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Abstract — For an arbitrary degree distribution pair (DDP), we 
construct a sequence of low-density parity-check (LDPC) code 
ensembles with girth growing logarithmically in block-length 
using Ramanujan graphs. When the DDP has minimum left 
degree at least three, we show using density evolution analysis 
that the expected bit-error probability of these ensembles, when 
passed through a binary erasure channel with erasure probability 
e, decays as C(exp( —cin c ' 2 )) with the block-length n for positive 
constants ci and a, as long as e is less than the erasure threshold 
eth of the DDP. This guarantees that the coset coding scheme 
using the dual sequence provides strong secrecy over the binary 
erasure wiretap channel for erasure probabilities greater than 
1 — eth- 



I. Introduction 

The notion of information-theoretic security on a communi- 
cation system with a passive eavesdropper was first introduced 
by Shannon in fT). This model consists of three parties — 
Alice, Bob and Eve; Alice wants to convey a secret message 
5 to Bob without revealing it to Eve, who can passively 
intercept the transmission. Shannon's model involves noiseless 
communication channels and secret communication can be 
achieved only if Alice and Bob share an encryption key that 
is not known to Eve. Alice converts the message 5 into an n- 
symbol cryptogram X n using the key K and transmits the 
cryptogram to Bob. The communication scheme is said to 
attain perfect secrecy if I(S;X n ) — 0. Shannon proved that 
perfect secrecy is guaranteed only if M(K) > H(5). In other 
words, Alice and Bob must share a secret key that is at least 
as long as the confidential message. 

Wyner [2] introduced an alternate model called the wiretap 
channel where communication occurs over noisy channels, 
with Eve receiving a degraded version of the signal received 
by Bob. Csiszar-Korner 1 3 1 considered a generalization of this 
model where Eve's reception need not be a degraded version of 
Bob's received signal. In these models, it is possible to achieve 
secret communication without using a pre-shared encryption 
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key. This is done by exploiting the fact that the wiretapper's 
channel is "noisier" than the legitimate user's channel. 

Since perfect secrecy may not be achievable over the 
wiretap channel for short block-lengths, Wyner introduced 
the asymptotic notion of weak secrecy. If Z n is the length- 
n symbol vector received by Eve, weak secrecy is said to be 
achieved if the rate of information leakage -I(S; Z n ) vanishes 
as n — > oo. The authors of J2j, |3] calculated the secrecy 
capacity of the respective channels under the weak secrecy 
condition. A shortcoming of weak secrecy is that the amount of 
leaked information can be unbounded even if the rate at which 
it is leaked goes to zero. Maurer and Wolf p) highlighted 
this shortcoming and introduced the notion of strong secrecy, 
which requires that the total amount of leaked information 
1(5; Z n ) must vanish as n — > oo. Though the strong secrecy 
condition is more stringent, it does not reduce the secrecy 
capacity (4), (5). 

In this paper, we consider the binary erasure wiretap chan- 
nel (BEWC) model, where Bob's channel is noiseless and 
Eve's channel is a binary erasure channel (BEC). Note that 
this wiretap model is also called a "binary-erasure-channel 
wiretap" (BEC-WT) ^ in literature^] The BEWC model is 
important because other wiretap scenarios can be modeled 
based on the BEWC. For example, the scenarios with a 
noiseless main channel and a binary symmetric or an additive 
white Gaussian noise wiretap channel can be modeled [6] 
as degraded BEWCs. Moreover, the Erasure Decomposition 
Lemma [ flO] Lemma 4.78] lets us model wiretap systems 
with a noiseless main channel and an arbitrary binary-input 
memoryless symmetric -output wiretap as degraded BEWCs. 
We employ the forward coding approach to achieve secrecy on 
our wiretap model. Other approaches, like the ones in Q, fTT) , 
use public discussion on authenticated channels in addition to 
communication on the wiretap channel to achieve secrecy on 
the overall system. 

In p2) , Thangaraj, et al. proposed using the duals of low- 
density parity-check (LDPC) codes in a "coset coding scheme" 
(2), (7) to achieve weak secrecy on the BEWC. They showed 

'Liu, et al. (Sj considered a generalized version of our BEWC model where 
there is a binary-input memoryless symmetric-output wiretap, and called it 
a type-II wiretap model. The original type-II wiretap model introduced by 
Ozarow-Wyner [7] has a noiseless main channel with a fixed number of 
transmitted bits revealed to the eavesdropper. The eavesdropper is also able 
to choose which bit locations are revealed to her. These two wiretap models 
are different — in [6], the wiretapper's channel is memoryless, whereas in 
j7j it is not. 

I n (6) , the BEWC model is called a BEC-WT. Contrastingly, Rathi, et 
al. [8J, (5] use BEC-WT to denote the wiretap model with a BEC main 
channel and an independent BEC wiretapper's channel. 
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that this scheme achieves weak secrecy over BEWC(£) for 
£ > 1 - e t h, where e t h is the BEC threshold of the LDPC 
code ensembles under message passing (MP) decoding. As an 
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extension to this result, Suresh, et al. [13] showed that strong 
secrecy on the BEWC can be achieved using the duals of 
short-cycle-free LDPC codes in the coset coding scheme. They 
first show that a sufficient condition for strong secrecy is to 
have the MP block-error probability decay as C(l/n 2 ). Using 
a stopping set based analysis, they prove that short-cycle-free 
LDPC code ensembles satisfy this condition. Specifically, they 
show that strong secrecy is achieved on BEWC(£) for £ > 1 — 
e c f , where e c f is the lower bound on error- floor of LDPC codes 
defined in fl4) . Since e e £ < e t h, there is a gap between the 
strong and weak secrecy thresholds for finite-girth ensembles. 
The work presented in this paper is based on the LDPC code 



based coset coding scheme of |12|, [13]. We show that the 
duals of "large-girth" LDPC codes achieve strong secrecy on 
the BEWC with no gap between the strong and weak secrecy 
thresholds. We do this by first analyzing the asymptotic 
behaviour of the bit-error probability estimate given by density 
evolution as the number of iterations increases mono tonic ally. 
We then construct irregular Tanner graphs for arbitrary degree 
distribution pairs such that the girth of these graphs increases 
logarithmically in the number of vertices. This construction, 
which can potentially create disconnected Tanner graphs, is 
based on the large-girth regular Ramanujan graphs constructed 
by Lubotzky, et al. |15| . We show that the LDPC codes based 
on our graphs have a bit-error probability that closely follows 
the density evolution estimate for increasing iterations. This 
property, together with the logarithmic increase in the girth of 
the underlying graphs, guarantees that the duals of our LDPC 
codes will achieve strong secrecy on the BEWC. 

In recent work |16|, [17], polar codes have been suggested 
as methods for approaching the secrecy capacity of general de- 
graded and symmetric wiretap channels, of which the erasure 
wiretap channel is a special case. However, since the threshold 
phenomenon of LDPC codes is observed at shorter block- 
lengths than polarization, there is enough interest in studying 
the strong secrecy properties of LDPC code ensembles. Also, 
the mechanism of security using polar and LDPC codes is 
different. Security of polar codes is proved using the capacity- 
approaching properties of these codes. In the case of LDPC 
code ensembles over erasure wiretap channels, we use the 
duals of codes with a threshold property that need not be close 
to capacity. 

This paper is organized as follows. In Section [II] we give 
a brief introduction of the channel model and the coset 
coding scheme, and relate the strong secrecy condition to 
the bit-error probability of the duals of the codes used in 
the coset coding scheme. In Section [HI] we give a brief 
overview of the density evolution analysis for LDPC codes 
and state the result regarding the double exponential decay 
of the density evolution bit-error probability estimate as the 
number of iterations increases. We then show that this result 
translates to strong secrecy on the BEWC using the duals of 



large-girth regular LDPC codes. In Section IV we provide a 
quick overview of existing constructions for graphs with good 
girth. We then describe our construction of large-girth graphs 
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Fig. 1. The binary erasure wiretap channel model. 

and prove that the duals of the resulting LDPC codes achieve 
strong secrecy. 

II. Coset Coding Scheme and Strong Secrecy 

We consider the binary erasure wiretap channel (BEWC) 
model introduced in p2| , which consists of two legitimate 
parties, Alice and Bob, and an eavesdropper, Eve (Fig. [TJ. 
The channel from Alice to Bob is noiseless and Eve sees the 
bits sent to Bob through a binary erasure channel (BEC) with 
erasure probability £. 

Prior to transmission, Alice and Bob publicly agree on a 
(n, n(l — R)) binary linear code C. For each possible value 
s of the nR bit secret vector S, we associate a coset of C 
given by C(s) = {x™ <E {0, 1}™ : x"H T = s}, where H is 
the parity check matrix of C. Note that all the vectors in this 
paper are assumed to be row vectors. To convey the message 
S to Bob, Alice picks a vector X n from one of the 2 n ( 1 ~ RS> 
vectors of C(S) at random and transmits it over BEWC(£). 
Bob obtains the secret message from the received vector by 
calculating X n H T . 

The amount of information that is leaked to Eve through 
her observation Z n can be bounded fL3| as 

l(S;Z n ) <nRPg AP (jC ± ,l-{) 

where Pg AP (C 1 - , 1 — £) is the block-error probability under 
maximum a posteriori (MAP) decoding of the dual code C 1 - 
transmitted over BEC(1 — £)■ A weakened form of this upper 
bound can be obtained by substituting pj^ AP with P^ p , 
the block-error probability using the message passing (MP) 
decoder with infinite number of iterations. 

The security condition on a sequence of encoding schemes 
of increasing block-length n and a constant rate R to achieve 
strong secrecy on a wiretap channel is 

I(S; Z n ) -> as n -> oo 



Lemma 1 (adapted from 1 13 Corollary 1]). If (C^) is 
a sequence of binary linear block codes of rate R with 
increasing block length n such that for some a > 1, 



PjP(Cl-£) = G 



1 



then strong secrecy is achieved on BEWC(^) when the dual 
sequence (C n ) is used under the coset coding scheme. 

We use the standard order notations O, o, 8, uj and 
il as defined in fl8| . From Lemma [T] it is clear that the 



3 



sequence (C n ) achieves strong secrecy on BEWC(£) if the 
dual sequence has 

Using the union bound on the block-error probability, 

where P b MP is the bit-error probability using the MP decoder. 

Corollary 2. If a sequence (C„) of binary linear codes with 
increasing block length n and rate 1 — R is such that the dual 
sequence (C^) has a bit-error probability such that 

A MP (C,i-0 = o(^) 

then strong secrecy is achieved on BEWC(^) when (C n ) is 
used under the coset coding scheme. 

III. Asymptotic Behaviour of the BEC Density 
Evolution Formula 

The asymptotic behaviour of the bit-error probability of 
LDPC codes under MP decoding can be tracked using density 
evolution [ 10, Sec. 3.9]. The main result of our paper is based 
on the asymptotic behaviour of the BEC density evolution 
expression as the number of iterations goes to infinity. Since 
density evolution gives only an approximate value of the bit- 
error probability and our ultimate aim is to study the asymp- 
totic behaviour of the bit-error probability, it is important to 
understand where and how approximations are made in density 
evolution. 

A. Density Evolution Analysis - a Background 

Let H n be an arbitrary ensemble of Tanner graphs with n 
variable nodes. Suppose a graph G is selected uniformly at 
random from H n and a random codeword from the associated 
block code is transmitted over BEC(e). The receiver, with the 
knowledge of G, tries to decode the transmitted word using the 
MP algorithm. For a family of ensembles (W n ) with increasing 
n, let 

• x(t,n) = the probability that a randomly selected edge 
in the Tanner graph transmits an erasure message from 
its variable node to its check node at the t th iteration 

• y(t, n) — the probability that a randomly selected code- 
word bit is unknown after t iterations 

1) Computation Graphs ^70| Sec. 3.7.1]: To evaluate 
x(t, n) and y(t, n) explicitly, the computation graphs asso- 
ciated with the Tanner graph ensemble may be considered. 
Suppose a graph G is selected from H n uniformly at random 
and a random edge e is picked from G. Let v be the variable 
node connected to e. The level-i edge-rooted computation 
graph C t of H n is defined as the subgraph obtained by 
traversing from v up to iteration depth t in all directions except 
along e. Ct is a random graph whose distribution depends 
only on t and T-L n . Also, x(t,n) can be uniquely determined 
given the possible realizations of Ct and their probabilities 
(regardless of what H n is). 




Fig. 2. An example of a level-2 decoding neighbourhood tree. 

To evaluate y(t,n), the level-i node-rooted computation 
graph Ct, defined subsequently, may be considered. As before, 
a graph G is selected from H n uniformly at random. Then, a 
random variable node v is picked from G. Ct is defined as the 
subgraph obtained by traversing from v up to iteration depth 
t in all directions. Like Ct, Ct is also dependent only on t and 
T-L n - y(t,n) can be uniquely determined given the possible 
realizations of C t and their probabilities (again, regardless of 

H n ). 

2) Tree Ensembles / [70] Sec. 3.7.2]: While studying the 
error-correcting performance of LDPC codes, the codes corre- 
sponding to the socket permutation ensemble of Tanner graphs, 
denoted by Q(n, A, p), are usually considered. The graphs in 
this ensemble contain n variable nodes, whose degrees are 
determined by the degree distribution polynomial X(x) = 
J2i where Xi is the fraction of edges that are connected 

to degree-i variable nodes. The check-node degree distribution 
is determined by the polynomial p(x) = J2j Pj x ^~ X , where 
Pj is the fraction of edges connected to degree-j check nodes. 

In the classical setting, T-L n = Q(n,X,p) is considered, 
and x(t, n) and y(t, n) are analyzed while keeping t fixed 
and letting n grow monotonically. The possible computation 
graphs of G(n, A, p) are not cycle-free and hence enumerating 
them is cumbersome. Doing an exact analysis of the bit- 
error probability y(t, n) for this ensemble is therefore difficult. 
Density evolution resorts to an approximate analysis by con- 
sidering tree ensembles, which are asymptotic approximations 
of computation graphs. 

The node-rooted tree ensemble % is an approximation of 
the computation graph Ct of Q(n, X, p). % is a random graph 
which takes all possible level-t decoding neighbourhood trees 
permitted by (A, p) and it is generated by the following rules. 

• The degrees of all nodes are chosen independently. 

• The root variable node has degree i with probability Li, 
where Li is the fraction of degree-i variable nodes in 
G(n,X,p). 

• All the leaf variable nodes have degree one. 

• All other variable nodes have degree i with probability 
A,. 

• Check nodes have degree j with probability pj. 

The edge-rooted tree ensemble %, which is an asymptotic 
approximation of Ct, is defined in a similar manner, except 
for the fact that the root variable node has degree i with 
probability A,+i. 

Suppose the block code corresponding to the Tanner graph 
Tt is transmitted over BEC(e). The probability that the root 
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node is unknown after t iterations of the MP decoder, denoted 
by xt, is given by the recursive equation 

x t = eA(l - p(l - x t -i)) =: f(e, x t -i) 

with x = e. The threshold e t \\ is defined as the supremum of 
all values of e for which the sequence (xt) converges to zero. 

For the ensemble Tt a similar probability y t may be defined. 
We will have 

yt = tL{i - p{i - x t -i)) 

where L(x) = J2i ^iX 1 is the degree distribution polynomial 
from the node perspective. 

B. Density Evolution - Asymptotic Behaviour 

It is a well-known result that x t and y t exhibit a double- 
exponential decay as t goes to infinity for e < eth- A proof 
of this result for regular codes is provided in p9) Sec. V- 
A]. For the sake of completeness, we state the more general 
result for irregular codes and provide an alternative proof (see 
Appendix [A]) involving mathematical induction. 
Lemma 3. For a distribution pair (A, p) with minimum 
variable node degree Z m ; n > 3 and e < e t h, we have 

x t ,y t = 0(exp(-f3(l min --l) t )) (1) 

as t — > oo, where (3 > is a constant. 

It is important to note that a similar double exponential 
decay result is not true for DDPs that have degree-2 variable 
nodes. Working out the expressions for this case, we can 
see that x t (and y t ) exhibits only an exponential decay in 
the number of iterations. Note that xt is the expectation of 
the root-node bit-error probability taken over the possible 
outcomes of T ■ The dominating term in this expectation is 
the contribution of the worst-case trees, namely, the trees 
that contain only variable nodes of the least degree. DDPs 
with degree-2 variable nodes form a special case where the 
contribution by the worst-case trees decays only exponentially. 

C. Asymptotic Decay of Bit-Error Probability 

Suppose we are given a DDP (A, p) with ^ m ; n > 3. For 
k = 1,2,3,.. ., let (nfc) be a strictly increasing sequence of 
positive integers and let t% be such that 

= Hog log n k + log a - log f 

l0g(Z min - 1) 

for any positive integer a. This means that y tk = O (l/n£). 
In particular, we have y t — O (l/n 3 ) for a — 3 (we drop the 
subscript k for convenience). Since y t is only an approxima- 
tion of y(t, n), this does not necessarily mean that the actual 
bit-error probability y(t,n) itself decays as C(l/n 3 ). 

Our ultimate aim is to prove an information-theoretic result 
and this requires rigorous mathematical proofs. There are only 
a few rigorous results regarding the "closeness" of the density 
evolution approximation. For example, we know the following 
results 

. For G(n,\,p) 

lim x(t,n) = x t , lim y(t,n) = y t 



as long as t remains constant 1 1 , Thm. 3.49]. 

• The "exchange of limits" result by Korada-Urbanke |20|. 

To achieve strong secrecy, we must find some ensemble 
T-L n for which y(t,n) = 0(l/n 3 ), where t is growing with 
n at least as fast as log log n. In general, this is not true for 
G(n,X,p). For example, any irregular DDP with Z m j n = 3 
does not satisfy y(t,n) = 0(yt) any e > (see [14, Thm. 
16]). 

1 ) Strong Secrecy on the BEWC Using Large-Girth Regular 
LDPC Codes: Let Q g (n,X,p) denote the subset of Tanner 
graphs in G(n,X,p) whose girth is at least g. Clearly, the 
level-i computation graphs of G4t+2(n, A, p) are cycle free. 
This means that any possible outcome of Ct is also a possible 
outcome of Tt- This does not necessarily mean that Ct and Tt 
are identically distributed and therefore, y(t,n) — y t is not 
necessarily true for G4t+2(n, A,p). 

The regular LDPC code ensemble Gu+2{n, x^ 1 , x^ 1 ) is 
a special case for which C t and % are equal to a unique tree 
T. Since y(t, n) is calculated from Ct in the same way as y t 
is calculated from Tt, we have y(t,n) — y t . Using a similar 
reasoning, we can also say that x{t,n) = x t . 

In essence, density evolution analysis is approximate be- 
cause it makes the following assumptions. 

1) The decoding neighbourhood is a tree 

2) The degrees of the nodes in the decoding tree can be 
chosen independently. 

For large-girth Tanner graphs, the first assumption is justified. 
However, the second assumption is not justified for large- 
girth irregular Tanner graphs. For large-girth regular Tanner 
graphs, there is a unique decoding neighbourhood with only 
one choice for variable-node degrees and only one choice for 
check-node degrees, which means that the second assumption 
is also justified. Therefore, we are able to assert that the density 
evolution estimate is exact in the case of large-girth regular 
LDPC codes, but are unable to do the same for the irregular 
counterpart. 

Assume that there exists a sequence (C„) of (c, d)-regular 
LDPC codes with c > 3 such that their Tanner graphs have 
girth at least At + 2 with 

[log log n + log 3 — log /3 

t= log(c-l) 

(The existence of such codes will be proved in the next 
section). For these codes, we have 

Pr(C^,e,t):=y(t,n)=y t (2) 

for e < e th . Here, P h MP (C^, e, t) denotes the bit-error 
probability after t iterations. By the above equation, the dual 
sequence (C n ) will achieve strong secrecy on BEWC(£) for 
f > 1 - eth- 

IV. Large-Girth Graphs 

A. Existence of Large-Girth Graphs 

For our scheme to achieve strong secrecy, we require a 
sequence of regular bipartite graphs whose girth increases 
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Fig. 3. An illustration of Algorithm ^ to create bipartite graphs. 



faster than log log n, where n is the number of vertices. 
We define a sequence of large-girth graphs as one with a 
prescribed degree distribution whose girth increases as logn. 
These large-girth graphs satisfy the girth condition required for 
strong secrecy. The existence of these graphs is related to the 



problem of cages [21] in graph theory. A ^-regular (simple) 
graph is one where each vertex has exactly v neighbours. A 
(v, g) cage is a vertex minimal ^-regular graph of girth g. 
Erdos and Sachs p2) showed that cages exist for all v > 3 
and g > 3. For a given v > 4, let (R g ) g ^ be a sequence of 
(y, g) cages in n(g) vertices. From the upper [23] and lower 
p2) lower bounds on n, we have g = 9 (logn). This means 
that (R g ) is a sequence of large-girth graphs. Since cages are 
not necessarily bipartite and we require a sequence of large- 
girth bipartite graphs, we make use of Algorithm [T [24, Sec. 
3.1]. For convenience, we denote the operation performed by 
this algorithm by B(-). 

Algorithm 1 Construction of a bipartite graph given any graph 

Igg) Sec. 3.1], 

1: Given a graph G in n vertices, create an identical copy 
G with V(G) n V{G') = 0. Let / : V{G) -> V{G') be 
a graph homomorphism. 
2: Create a graph H with vertex set V(H) = V(G) U V(G') 
and edge set E{H) = {{x,y} : x G V(G),y G 
V(G'),f(x) ~ yinG'}. That is, if ai ,b x G V(G), 
a 2 = f(a>i), b 2 = f(bi) and a\b\ G E{G) (or equiva- 
lently, if a 2 b 2 G E(G')), then aib 2 ,a 2 bi G E(H). 



Lemma 4. Given a graph G, if H = B(G) then g(H) > 
9(G). 

Proof: For any cycle C in H with the vertices in the order 
(uo, Vo, u\,Vi, . . . , u r -i,v r -i, uq) there exists a closed walk 

W = (uo,/ _1 (wo),'«l,/^ 1 (wi), . . . ,« r -l, / -1 (u r -l.),Uo) 

in G. Note that r > 2. W can either contain a cycle, or it can 
be a path tracing itself back after some point. We show that 
this closed walk has a cycle. 

Suppose this closed walk does not have a cycle. Then, with- 
out loss of generality, we can assume that it traces itself back 
at some point Uj. Therefore, the sequence u i: u^, mo d r 



is such that itj = Ur-j+i 



(z+l) mod v 



This is a contradiction since 



all the vertices in the original cycle are distinct and r > 2. 



Therefore, W contains a cycle C*. We have 

length(C) > length(C*) > g(G) 

which proves that g(H) > g(G). Note that the second 
inequality in the above equation follows from the fact that 
C* is a cycle in G. ■ 

By the above lemma, (B(R g )) ge -^ is a sequence of large- 
girth ^-regular bipartite graphs. Using this sequence, it is pos- 
sible to construct (see Algorithm |4]l large-girth (c, d) regular 
Tanner graphs for arbitrary c, d. 

However, it should be noted that there is no standard con- 
struction of (v, <7)-cages that works for all v and g. Moreover, 
the structures of cages for v > 20 or for g > 15 are not 
currently known. Though the existence of cages proves the 
existence of large-girth regular LDPC codes, it does not result 
in a generalized construction algorithm for these codes. In the 
later sections, we will construct large-girth LDPC codes from 
large-girth graphs that are not necessarily cages. 



B. Existing Constructions for Tanner Graphs With Good Girth 

A construction of regular large-girth LDPC codes was 
proposed by Gallager in his monograph [25 Appendix C]. 
The progressive edge growth (PEG) algorithm [26 1 constructs 
LDPC codes with a prescribed left (variable-node) degree 
distribution and rate. Though empirical evidence shows that 
PEG creates codes of good girth, we are unable to prove that 
they are large-girth codes. A PEG-like algorithm to construct 
almost regular large-girth graphs was proposed in (27). A 
modification of this algorithm to create almost (c, d)-regular 
large-girth LDPC codes was published as the Almost Regular 
large-Girth (ARG) algorithm [28 1. Though ARG creates large- 
girth LDPC codes, it cannot be used to create LDPC codes 
for a pre-defined DDP 

Based on the large-girth regular graph construction in p9) , 
| |30| , Kim, et al. |[3T) constructed large-girth regular LDPC 
codes of rate 1 jq, for any prime power q. In other work, Mar- 
gulis [32 1 constructed 2r-regular large-girth graphs and based 
on his idea, Rosenthal and Vontobel [33) constructed large- 
girth (3, 6)-regular LDPC codes using the algebraic structure 
behind the construction of Ramanujan graphs proposed by 

It can be noted that the above constructions produce only 
large-girth LDPC codes of specific rates and specific (regular) 
degree distributions. On the other hand, the construction 
described in the next section produces large-girth graphs of 
arbitrary rates and degree distributions. 

C. Proposed Construction of Large-Girth Graphs 

The adjacency matrix of a simple graph with n vertices is 
an n x ft matrix [aij] such that aij = 1 whenever vertices i 
and j are adjacent, and a^j = otherwise. We consider the 
eigenvalues of the adjacency matrix. For a fc-regular graph, 
any eigenvalue u is such that < k. A Ramanujan graph is 
a fc-regular graph such that if \i is an eigenvalue and ^ k, 
then < 1\]k — 1. For a detailed discussion of Ramanujan 
graphs, see the book Davidoff, et al. [34|. 
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Lubotzky, et al. [15] provided a Cayley graph based con- 
struction of certain Ramanujan graphs. For primes p and q, 
they construct a family of graphs X p - q with the following 
properties. 

Theorem 5 ( p4) Thm. 4.2.2]). Let p, q be distinct, odd primes, 
with q > 2^/p. The graphs X p ' q are (jp + l)-regular graphs 
that are connected and Ramanujan. Moreover, 

1) If p is a quadratic residue modulo q, then X p,q is a 
non-bipartite graph with q ( q ~^ vertices, satisfying the 



girth estimate 



g(X™)>21og p q 



2) If p is a quadratic non-residue module q, then X p ' q is 
a bipartite graph with q(q 2 — 1) vertices, satisfying 

g(X™)>4hg p q-log p 4 

For our purposes, we will not be using the Ramanujan 
property of the graphs X p ' q ; we will merely use the above 
lower bounds on the girth. 

When p is a quadratic residue modulo q, we can use the 
construction in Algorithm [I] to generate a bipartite (p + 1)- 
regular graph in q(q 2 — 1) vertices with girth at least 2 log p q. 
Using Algorithm [T] we now have the following corollary. 

Corollary 6. Given a prime p, for any n G N it is possible to 
construct a (p+l)-regular bipartite graph in q(q 2 ~l) vertices 
with girth at least 2 log p q for some prime q > n based on the 
construction of Lubotzky, et al. 

We would like to construct fc-regular bipartite graphs of 
large girth where k is some arbitrary natural number, i.e., it is 
not necessarily the successor of a prime number. We do this 
as follows. We first find an integer s such that sk — 1 is a 
prime number, say p. The existence of s (and p) is guaranteed 
by the following. 

Theorem 7 (Dirichlet's Theorem on Arithmetic Progressions 
1 35 Chapter 7]). Given two positive integers a,b that are 
relatively prime, i.e., gcd{a,6} = 1, the sequence (an + 6) n gN 
contains an infinite number of primes. 

Corollary 8. Given any positive integer k, it is always possible 
to find s £ N such that sk — 1 is a prime. Moreover, there are 
infinite such s. 

Proof: It can easily be seen that gcd{fc, k — 1} = 1. 
Therefore, there are infinite prime numbers of the form rk + 
(k — 1), where r g N. Therefore, there are infinite prime 
numbers of the form sk — 1, where seN. ■ 

Now, we know that for any arbitrary natural number k, we 
can create a family of sfc-regular graphs of large girth for some 
natural number s. Using this family, we can create a family 
of large-girth fc-regular graphs by using Algorithm [2] 

In this paper, we will only consider the creation of equal 
sized partitions iVj in Step [T] of Algorithm [2] Under this 
restriction, the partitioning of N(v) can be done in two 
different ways. 

• Deterministic version. We assume that the edges in the 
graph G are in some simple ordering (ei, e2, . . . , Cm)- If 




0, 2 



)9 



iVi 



Fig. 4. An illustration of Algorithm [5] to split a vertex. 

Algorithm 2 Splitting a vertex into vertices of smaller degrees. 
1: Given a vertex v in a graph G, we partition the set of all 

its neighbours N(v) into N\, N2, . . . , Nk- 
2: We create a new graph H by deleting v from G and 

adding new vertices ui , 1)2, ■ ■ ■ , Vk and connecting u,; to 

the vertices in TV, for all i. 



N(v) = {e^e^,. . . ,e ijk } with it < i 2 < ■ ■ ■ < ij, let 
Ni = {e^ , e i2 , . . . , e ik } 

N2 = {Si k + 1 , £i k+2 i • ■ • i e i 2 k } 

and so on. 

• Random version. The partitioning of N(v) is done in a 
random fashion. 
Though the girth properties of the graphs obtained by the 
deterministic and the random versions of Algorithm [2] are 
similar, it is easier to count graphs of a particular configuration 
when we use the deterministic version than when we use the 
random version. 

Lemma 9. Given a graph G, if H is a graph obtained by 
splitting an arbitrary vertex of G according to either version 
of Algorithm^ then g(H) > g(G). 

Proof: Suppose H does not have any cycles. In this case, 
g(H) = 00 and the lemma is true. 

We are now left with the case where H has cycles. Consider 
any cycle C in H. Let v be the vertex of G that is being split 
and let V ncw — {v±, V2, ■ ■ ■ ,i>/s} be the set of new vertices 
created. By traversing along C and identifying vertices Vi with 
v, we will get a closed walk W in G. We show that W contains 
a cycle. 

If C has less than two vertices from the set V nev/ , then W 
is a cycle and we are done. Otherwise, C has at least two of 
these vertices. We can pick Vi,Vj such that while traversing 
from one to the other along C, we don't encounter any other 
vertices from V ncw . Let this path (excluding Vi, Vj) be denoted 
by P. Since m and vj are not adjacent and N(vi)DN(vj) = 0, 
this path has at least two vertices. Therefore, vPv is a cycle 
C* in W that is smaller than C. Since G contains the cycle 
C* , we have 

length(C) > length(C*) > g{G) 

which shows that g(H) > g(G). ■ 
Note that Algorithm [2] can sometimes create a disconnected 
graph. That is, H may be disconnected even if G is connected. 
However, we can see that Lemma [9] is valid regardless of any 
disconnections introduced by node splitting. Furthermore, the 
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proof of our main theorem relies only on Lemma [9] and is 
valid even though some of the Tanner graphs in our ensemble 
may be disconnected. 

Algorithm 3 Constructing large-girth fc-regular bipartite 
graphs. 

1: Given a positive integer fc, find the smallest solution for 
s 6 N such that sk — 1 is a prime. The existence of 
s is guaranteed by Dirichlet's Theorem on Arithmetic 
Progressions. Denote sk — 1 by p. 

2: Pick a sequence of primes greater than 2^/p. For each 
such prime q, generate the graph X v - q described in fT5) . 

3: If p is a quadratic residue modulo q, then G = B(X p ' q ). 
Otherwise, G = X' p > q . In either case, G is an (sfc)-regular 
bipartite graph on q(q 2 — 1) vertices and g(G) > 21og p g. 

4: Split each vertex of G successively into s vertices of 
degree k according to either version of Algorithm [2] Call 
this new graph H. 

5: H is a fc-regular bipartite graph with sq(q 2 — 1) vertices 
mdg(H) > 5 (G) > 2 log p q. 



Algorithm 4 Constructing large-girth (c, d)-regular bipartite 
graphs. 

1: Let k — LCM{c, d}. Construct a sequence of fc-regular 
bipartite graphs of large girth according to Algorithm [3] 

2: Given a fc-regular bipartite graph G with sq(q 2 — 1) 
vertices and g(G) > 2 log p q, let (V s , V c ) be the bipartition 

of the vertices. We have |V S | = \V C \ = sg( ^~ x) . 
3: Split each vertex in V s into fc/c new vertices of degree 
c each according to either version of Algorithm [2] to get 



— i) left vertices of degree c. 

c 2 ° 

4: Split each vertex in V c into k/d new vertices of degree 
d each according to either version of Algorithm [2] to get 
k sq(q -i) jjgjjj. ver i;i ces f degree d. The resultant graph 
H is a (c, d)-regular bipartite graph with g(H) > 2 log p q. 



D. Strong Secrecy Using Irregular LDPC Codes Based on 
Ramanujan Graphs 

For a given DDP (A, p), we can create a sequence of large- 
girth (A, p) -irregular LDPC codes (C„) of increasing block- 
length n using Algorithm [5] We denote the large-girth graphs 
associated with C n by 7Z n . 

Theorem 10. For a given DDP (A, p) with minimum left 
degree Z m j n > 3, the sequence of large-girth (A, p)-irregular 
LDPC codes (C n ) created using Algorithm [5] is such that 
whenever e < eth we have 



EP b MP (C„,e) =0(exp(- Cl n C2 )) 
for some positive constants C\ 1 C2- 



(4) 



Proof: See Appendix [B] ■ 
The asymptotic decay of the bit-error probability achieved 



by the codes in Thm. 10 is faster than the inverse cubic decay 



Algorithm 5 Constructing large-girth (A, p) irregular bipartite 
graphs. 

1: Let fc be the least common multiple of all the left and 
right degrees. Let a be the smallest positive integer such 
that a\i, apj € N for all 

2: Let s be the smallest natural number such that sak — 1 
is a prime number. Call this prime number p. Choose 
an arbitrarily prime q > 2^/p. Construct an (afc) -regular 
bipartite graph Go according to Algorithm [3] Go has 
sq(q 2 — 1) vertices and g(Go) > 21og p <7. 

3: Split each vertex of Go into a vertices of degree fc by 
successively applying Algorithm [2] (either version) and 
denote the resulting fc-regular bipartite graph by G. G has 
no vertices on the left and no vertices on the right, where 
no = asq( {- 1 \ and g(G) > 2 log p g. 

4: Let (vi,v 2 , ■ ■ ■ , v ng ) be some ordering of the "left" ver- 
tices in G and let (ci, o%, . . . , c„ ) be some ordering of 
the "right" vertices in G. Also, let (ei, . . . , e no k) be 
some ordering of the edges in G. 

5: Let a and it be two randomly chosen permutation func- 
tions over the set {1,2,..., n }. 

6: Consider the ordered set (v[, v' 2 , ■ ■ ■ , v' no ), where v\ — 
v a ^y In this ordered set, 

• split the first noA/ min vertices into nofcA; min /7 m i n 
vertices of degree Z m j n , 

• split the next noA; min +i vertices into 
n o^Ai min+ i/(Z min + 1) vertices of degree 

• ■ • ■ 

• split the last n.oA; max vertices into nofcA; max /i max 
vertices of degree Z max . 

In the above, we split the vertices according to the 
deterministic version of Algorithm [2] 
7: Do a similar operation for the check nodes using the 
ordered set (c' 1} d 2 , . ■ ■ , c' no ), where c'j = c^{j), and the 
distribution p. The resulting graph H is a (A, p) irregular 
bipartite graph with 

n= aA*g(g»-l) Xdx 
vertices and girth at least 2 log p q. 



required for strong secrecy. This directly implies that the duals 
of our Ramanujan graph LDPC codes achieve strong secrecy 
on the BEWC under the coset coding scheme. 



E. Discussion 

For a given DDP (A,p), we have constructed a sequence 
(G„) of large-girth LDPC codes based on Ramanujan graphs. 
For minimum left degree at least three, we showed that for 
e < eth, we have 

EP b MP (C„,e) = 0(exp(-/?n al °s^^ 1 ))) 

By Corollary [2] the dual sequence (C^) achieves strong 
secrecy on BEWC(£) for £ > 1 — e t h- 
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1) Difference Between Regular and Irregular Codes: For 
any large-girth regular LDPC code sequence (C n ), we have 

Ff p (C n ,e) = O (expC-^n 010 ^" 1 ))) 

for e < e t h- This means that the dual sequence achieves strong 
secrecy on BEWC(£) for £ > 1 — eth- 

For irregular codes constructed by Algorithm |5j we have 
shown that 

E (Pf p (C n ,e)) = O (expt-/^ 010 ^™- 1 ))) 

for e < e t h- This means that on an average, the dual sequence 
achieves strong secrecy on BEWC(£) for £ > 1 — eth- 
Moreover, most codes in the dual sequence are concentrated 
around this average strong secrecy property. This is because 
the Markov inequality guarantees that, with probability tending 
to 1, any LDPC code from the ensemble will have probability 
of bit error smaller than ^ (for any positive integer k). 

Our result for regular LDPC codes is stronger than that 
that of irregular LDPC codes. However, irregular LDPC codes 
are important because they have 1 — e t h very close to their 
rate. Therefore, irregular codes are instrumental in achieving 
a secrecy rate very close to the BEWC secrecy capacity. 

2) Gap Between Achievable Region and Secrecy Capacity: 
For a secret information rate R, we are interested in the 
minimum value of Eve's erasure probability e for which we 
can ensure strong secrecy over the BEWC using our scheme. 
Since our proof works only for i m i n > 3, this involves finding 
an optimal DDP of rate R and Z m i n > 3 for which the BEC 
threshold e t h is as high as possible. It can be noted that 
e t h < 1 — R- Most of the capacity achieving DDP sequences 
require Z m ; n = 2 (e.g., the tornado sequence and the right 
regular sequence in f36|). Therefore, there is a small gap 
between the strong secrecy rate achievable by our technique 
and the secrecy capacity of the BEWC. 

For example, when we performed a search using the LDP- 
COPT online tool |37| for R = 0.5 and Z m j n > 3, we found 
that the maximum value of e t h = 0.4619 is achieved by the 
DDP 

\{x) = 0.9043388a; 2 + 0.03300419a; 16 + 0.01434268a; 17 
+ 0.03535427x 18 + 0.01296008a; 99 

p{x) = x 10 

This means that the duals of the LDPC codes constructed using 
Algorithm [5] will achieve a strong secrecy rate of 0.5 over 
BEWC(e) for all e > 0.5381. Note that for e close to 0.5381, 
the secrecy capacity of the BEWC is close to 0.5381. Our 
coding scheme will achieve a secrecy rate of 0.5 over this 
channel, which is 7% less than the secrecy capacity. 

V. Conclusion and Future Directions 

In this work, we have constructed LDPC codes whose girth 
increases logarithmically in block-length using Ramanujan 
graphs. In contrast to existing large-girth constructions, our 
construction works for arbitrary irregular degree distribution 
pairs. To our knowledge, this is the first such construction. We 
have shown that the duals of these LDPC codes achieve strong 



secrecy on the binary erasure wiretap channel (BEWC), when 
their minimum left degree is at least three. To achieve secrecy 
capacity on the BEWC, we require LDPC code ensembles 
with degree-2 variable nodes. Since our current proof does 
not apply to these codes, we must look for new techniques 
to analyze them. A multiedge-type construction, similar to the 
approach of ||8), (9), might be required to achieve secrecy 
capacity on the BEWC. 

In addition, the Ramanujan graph ensemble is interesting in 
the general area of LDPC coding even without the secrecy ap- 
plication. In particular, one can show (through the relationship 
between the girth and the stopping distance) that the minimum 
distance of these codes grows at least as n b , for some b such 
that < b < 1. Further properties of this construction could 
be explored in future work. 

Appendix A 
Proof of Lemma[3] 

For any x € [0, 1], we have 

(1 -xf- 1 > 1 - (d- l)x, VdeN 

r max 

=> P (i - x) = J2 Mi - x)*- 1 

d=2 

> J2(l-(d-l)x) Pd 

d=2 

= 1 - (»'avg - 1)X 

=> 1 - p(l - x) < (r avg - l)x 

where r avg is the average check-node degree and r max is the 
maximum check-node degree. For < (r avg — l)x < 1, 

/( e ,aO = eA(l-p(l-aO) 

a 

< eA((r avg - l)x) 

'max 

= e £ Xi((r avg - l)*)'" 1 

b /max 
i=imin 

=> /(e, x) < e((r avg - l)^"""- 1 =: g(e, x) (5) 

Note that (a) follows from the monotonicity of A(a;), and (b) 
follows from the given condition < (r avg —l)x < 1. To make 
the notation easier, let us denote A = e(r avg — l)'™- 1 . Since 
we are operating in the region e < e t h where (x t ) converges 
to zero, there exists an R such that Ax l g ia " 2 < 1 and (r avg — 
1)%r < 1- The first inequality will be used later in the proof. 

Let us construct a sequence zr+^+i = g(e, zn + i) with zr = 
xr. It is immaterial what z, takes when i < R. We then claim 
that XR + i < ZR+i for any non-negative integer i. We can 
prove this by induction. The base case is when i = and it 
is true by our choice of Zr. Assuming the claim is true for 
some integer i > 0, we have 

XR+i+i = f(e,x R+i ) < g(e,x R+i ) < g(e,z R+i ) = z R+i+1 
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The first inequality is due to Eqn. |5]) and the second inequality 
is due to the monotonicity of g and the induction hypothesis. 
This proves the claim. 
We have, 

A imto-l 

zr+i = AzS 1 ' 11 



ZR+, 



= yl l + (J„ 11 „-l) + (i ml „-l) 2 +-+(i„ li „-l) l - 1 z ('m 1 „-l) 1 

R 



(i min -i)'-i 



A 1 
A 



-R 



n~' (A^^Xr^ 



(i ml »-l) ! 



= A'mi„-2 exp ( {l min ~ If f lQg A + \ogx R 

\ ^min ^ 



= A l rain- 2 CXp f — OR^b 



1) 



Due to our choice of R, ajj = -, -1 _ 2 log A — log xr is 
positive. In fact, we can choose R arbitrarily large, making 
xr arbitrarily small and ctR arbitrarily large. For t > R, we 
have 

xt < Zt 

= A exp (-a R (l min - I)*"*) 



A'ynin- 2 eXp 



CtR 



; (U-i)j 



Vrnin ) 

= A^^ exp (-/3(Un - 1)') 
Note that j3 = > °' Therefore ' 

we have 

£ f = O (exp(— /9(Zmin - 1)*)) as * 00 
To prove the second half, we note that for x £ [0, 1] 



Jo 1 Hx)dx i=lmu 
1 



A; 



.i-l 



< r x ( x ) 

lmin J \(x)dx 



Hi 



< 



1 



-x, 



hmn Jq 1 A(a;)da; 
^ y t = O (exp(-/3(Z mi n - 1)*)) 

Appendix B 
Proof of Thm.IToI 

The only sources of randomness in Algorithm |5] for a given 
large-girth graph G (at the end of Step[5]l are the permutation 
functions a and it. The probability distribution of lZ n given G 
is easier to analyze than that of lZ n when G is not specified. 
Clearly, Q is true whenever 



E (F b MP (C„,e)|G) = 0(exp(- Cl n C2 )) 



(6) 



is true uniformly for all possible G in Step [3] of Algorithm [5] 
Note that P b MP (C„,e) denotes the probability of bit-error 
after infinite iterations of the MP algorithm (or equivalently, 
when a stopping set is encountered). This probability is clearly 



less than the probability of bit-error after a finite number of 
iterations. Therefore |6]) is true whenever 

E(P b MP (C„,e,i(n))|G) < A(n) = O (cxp(- Cl n C2 )) (7) 

is true for some function t(n). The role played by the quantity 
A(n) is to ensure that we are able to upper bound the left hand 
side uniformly in G. We pick t(n) — alogn, where a > 
is such that g(lZ n ) > 4a log n + 2. We know that a exists 
because of the large-girth property of lZ n . Let et max be the 
maximum possible value for a. 

Proposition 11. For any S € (0, 1), there exists a natural 
number N such that for all n > N we have 



1 



(8) 



E(Pr(C n ,e,t(n))\G) < ^y t{n ){e) 

where y t ( n ) ( e ) is the quantity defined in Lemma |i] 
We know from Lemma [3] that 

y t( „ ) (e) = 0(exp(-/3(U„-l) t( " ) )) 
= 0(exp(-/3(Un-l) alog ")) 
= O (exp(-/3n alog ('- i "~ 1 ))) 

The above equation, along with Proposition [TT] completes the 
proof of the theorem. 

Consider the computation 



Proof of Proposition 11 



graph Ct of lZ n (we write t for t(n) to make the notation 
less cumbersome). Clearly, P(C t = T) > if and only if 
F(f t = T) > 0. 

Let T be any valid level-t tree in the sense that P(7t — T) > 
0. Let P e (T,e) be the probability that the root node of T is 
in error when the tree code associated with T is transmitted 
over BEC(e) and decoded with t iterations of the MP decoder. 
Note the following two equations 



Vt(e) 



E 



P(77 = T)P e (T,e) 



E (P b MP (C„,e,<)|G) = \^P( Ct - T\G)P e (T,e) 

From the above, we can see that the proof is complete once 
we show that for some natural number N, we have 

1 



P(Ct =T\G)< 



1 



for all n > N. 

Let T be a valid level-t tree with io being the degree of 
the root node. Let this tree have p t variable nodes of degree 
i (including the root node, but excluding the leaf nodes) and 
<7j check nodes of degree j. We have 



V(T t =T) =L lQ \ 



Pic 



i=3,i^i j=2 



(9) 



Now, consider Ct- The probability that the root node v has 
degree io is clearly Li . The io edges incident with v in lZ n 
will correspond to io edges in G incident with u, the parent 
node of v. Let 6(1), 6(2), . . . , b(io) be the io neighbours of u 
in G corresponding to those edges. Let c(l), c(2), . . . , c(i ) be 
the daughter nodes in !Z n corresponding to the same edges. 
The number of ways of choosing the permutation function it 
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such that node c(l) has degree j is equal to the number of We have 
ways of putting 6(1) into a slot that corresponds to degree , 
j, which is noPj. Note that these slots are numbered. Here, 1 > I 1 — 
no = In I [k Jq 1 Ada;^ is the number of left (right) vertices in 
G, where k is the LCM of all the degrees in (A,p). 
In general, whenever T is a valid level-t tree, we have 



n 



E<?j 



P(C t = T)=i i0 ("^ 1 )( Pi0 -l)! 

(n - 1 - Y!i=2 P* 



n \ 



! r 



n ! 



n 

II 



We note the following inequality. 

(n - 1 - E!:=2 X Pi) ! ("0 - Ej=; x min Qj 



n ! n ! 



(10) 



< 



(no-EK)^^- 1 (no-E^* 



(11) 



> 1- 



= 1- 



din 
no 



n 



n 



2a 2 "' 32 -l 



Qf2n M 

n 



The proof is complete once we show that 



1 - 



Jq 1 Ada 

n^ 



1 



(16) 



For this, we pick the constant a £ (0, a max ] small enough so 
that @2 < 0.5. Observe that for any 8 > 1 and a > 0, we have 



Substituting m 



Hm l-_ =1 (17) 

n— >oo \ n J 

i@ 2 in the left hand side of ( |16) , we have 

I TO (l-/3 2 )//3 2 I 



which goes to 1 as m — > oo. 



We also see that 



M n ^i>*o-i)! n n 



i=imin 



<i io (noA io )^o-i JJ ( noA ,)f [j („o Pi )« 



* = Zmin 



p^*)-^. ^pjo-i jj Af jj 



= (min j = r m in 



P(7i = T) 

Substituting (jTTJ and (jT2j in ( flO) , we get 

nft = t) 



T) < 



!_ EP*V EP<) "Vl-^ E9 ' 



(12) 



(13) 



The proof is complete once we show that 

1 - ^^L] -> 1 asn^oo 

(14) 



EftV Efthl ^EsA^ 3 



First, we note that Pi an( l E Qj g row exponentially in t. 
This means that there exist constants a% , a,i , /3i , /?2 > such 
that 



tin' 91 < 2jPi,2j?j < «2? 



(15) 
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